Gartner Blog Network

If Detection is “Security 101”, Why do we Keep Getting Nailed with APTs?

by Neil MacDonald  |  April 27, 2011  |  3 Comments

I’ve made the argument before that complete information security protection requires a combination of prevention and detection. Further, I believe we have overinvested, become overly reliant on and dangerously complacent with our preventative capabilities. The result is we are exposed and are woefully underinvested in our detection capabilities.

At first, my assertions may sound counterintuitive. Detection is foundational security stuff, “Security 101” so to speak. Haven’t we been doing this for years?

If that is true, why do advanced intrusions that bypass traditional mechanisms persist undetected for extended periods of time (e.g. RSA, Google, TJX, Sony, etc.)? Something is clearly not working.

The disconnect lies in what we are detecting today, how we are detecting it, and how both need to evolve moving forward.

Think about this for a moment: Detecting attempted intrusions is quite a different problem than detecting successful intrusions.

Let me explain. There are basically two ways you can identify if something is bad.

1) You can figure out what “bad” looks like and then look for similarities to it. You can even get more clever: based on knowledge of a vulnerability, figure out what “bad” would have to look like in order to exploit that vulnerability, and then use these generic models of “badness” to stop unknown attacks on known vulnerabilities. Either way, detection and prevention of the attack is based on models of what is “bad”. This is the core of traditional AV and IPS protection, and we are pretty good at it. So, to the extent that these can detect attacks, yes, we have been doing this for a long time. But they aren’t detecting successful attacks that bypass the models of what “bad” is. It is precisely these mechanisms that are failing us with APTs, because a targeted and unique attack has no predefined model of badness (aka signature, IPS rule, vulnerability-facing filter) to catch it.

2) The other way to identify that something is bad is to get a really, really solid idea of what “good” looks like and then look for meaningful differences from it. This is the heart of advanced monitoring: understanding what normal baseline patterns of behavior look like at all levels (packets, sessions, applications, transactions, etc.). We are not good at this. Note that putting an IPS into ‘detect’ mode doesn’t deliver this type of detection; that’s just another form of #1 above. Doing #2 right requires a large number of sensors and detailed analysis of activity in order to identify anomalous behavior, which goes beyond log monitoring and current generations of security information and event management. This is precisely why I believe information security is becoming a big data problem, and why advanced analytics will be at the core of the next generation of all security platforms: endpoint, network, edge, data and so on. Also, once we have solid models of “goodness” we can focus on removing what matches them and looking at what’s left. This second approach is exactly what I was talking about in my recent blog post on finding the APT needles in the IT haystack. You don’t have to know what the needles look like; you only have to know what “good” (high assurance) hay looks like, remove it and see what is left.
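To make the two approaches concrete, here is an added Python illustration (not code from the original post): a constructed set of outbound-connection events is run through a signature list (approach #1, a model of “bad”) and through a baseline of recurring (host, process, destination) triples learned from an earlier window (approach #2, a model of “good”), so the event that only the baseline catches is the gap the post describes. Every host name, process name and destination below is constructed sample data, and `min_count` is an assumed knob for keeping one-off noise out of the baseline.

```python
from collections import Counter

# Constructed learning-window events, one (host, process, destination) per outbound connection.
LEARNING = [
    ("ws01", "outlook.exe", "mail.corp.example:443"),
    ("ws01", "chrome.exe", "cdn.example:443"),
    ("ws01", "chrome.exe", "cdn.example:443"),
    ("ws02", "outlook.exe", "mail.corp.example:443"),
    ("ws02", "svchost.exe", "update.example:80"),
    ("ws02", "svchost.exe", "update.example:80"),
    ("ws02", "chrome.exe", "cdn.example:443"),
]

# Constructed analysis-window events. "knownbad-tool.exe" stands in for something a signature
# already covers; "updsvc.exe" stands in for a unique tool no signature describes, beaconing
# to a host this site has never talked to.
ANALYSIS = [
    ("ws01", "chrome.exe", "cdn.example:443"),
    ("ws02", "svchost.exe", "update.example:80"),
    ("ws01", "knownbad-tool.exe", "cdn.example:443"),
    ("ws02", "updsvc.exe", "203.0.113.7:8443"),
]

SIGNATURES = {"knownbad-tool.exe"}  # approach 1: a tiny, constructed model of "bad"

def detect_by_signature(events, signatures=SIGNATURES):
    """Approach 1: flag events that match a predefined model of badness."""
    return [e for e in events if e[1] in signatures]

def build_baseline(events, min_count=2):
    """Approach 2, learning step: a (host, process, destination) triple counts as
    "good hay" only after it recurs min_count times in the learning window, so a
    one-off event seen during learning does not silently become part of normal."""
    return {e for e, n in Counter(events).items() if n >= min_count}

def detect_by_baseline(events, baseline):
    """Approach 2, detection step: remove the good hay and report what is left."""
    return [e for e in events if e not in baseline]

def missed_by_signatures(events, baseline, signatures=SIGNATURES):
    """Events the baseline flags that no signature would have caught."""
    sig_hits = set(detect_by_signature(events, signatures))
    return [e for e in detect_by_baseline(events, baseline) if e not in sig_hits]

if __name__ == "__main__":
    base = build_baseline(LEARNING)
    print("caught only by baseline:", missed_by_signatures(ANALYSIS, base))
```

Raising `min_count` or lengthening the learning window trades missed one-off anomalies against the false positives a thin baseline produces; the right setting is a property of the environment, not of the code.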

The next big area of spending in information security will be to beef up our capabilities in the second category – more sensors, more monitoring and more analytics delivering improved situational awareness of advanced intrusions which bypass all of our first category protection and detection mechanisms.



Neil MacDonald
VP & Gartner Fellow
15 years at Gartner
25 years IT industry

Neil MacDonald is a vice president, distinguished analyst and Gartner Fellow in Gartner Research. Mr. MacDonald is a member of Gartner's information security and privacy research team, focusing on operating system and application-level security strategies. Specific research areas include Windows security…

Thoughts on If Detection is “Security 101”, Why do we Keep Getting Nailed with APTs?

  1. Lani Refiti says:

    Good point and interesting to see RSA’s acquisition of NetWitness soon after or simultaneously with their breach disclosure.

    APTs are a difficult thing to quantify if you are doing a Risk Assessment, which is traditionally what you would do when evaluating technologies. I mean, who would put in a risk assessment that they think they’re a good target for an APT type attack?

    I’ve seen attacks involving APTs on Government/Agricultural departments where you would never in your wildest dreams have thought they would be a target, only to find out that a negotiating team was on its way to China to negotiate contracts etc.

    I think you need multiple types of defences, on your perimeter, within your network and at your endpoints, using things like Application control, Whitelisting and Behavioural type IDS/IPS to successfully defend against APTs.

    What I’m hearing from customers is “if RSA/Google etc. can’t defend against APTs with all their resources, what hope do we have?”

  2. Adam Hils says:

    I agree philosophically.

    The question becomes whether this uber-whitelisting-analytic approach ever becomes vigorous enough to form truly solid models of goodness.

    As with WAFs, “learning” mode would be endless in this paradigm, and false positives would run rampant.

    Even if organizations deploy uber-analytics successfully, they should still refresh their firewalls every 3 years and keep their AV subscriptions current.

  3. Neil MacDonald says:

    I liked Jeff Merkel’s (from MANDIANT) comment on an APT panel I ran at RSA this year. He said something like: “get over it, you are already infected, you just don’t know it yet”.

    So we absolutely must change our mindset from one focused on 100% prevention (which was a fallacy to begin with) to one in which we assume we will be compromised and need to get better at detecting this.

    Does this mean we give up on prevention?

    ABSOLUTELY NOT. But what it does mean is that we are likely overinvested on prevention and not heavily invested enough on the detection side.

    I also agree with your comment on defense in depth. This foundational security principle remains as true now as ever. Each layer in our protection model should make it difficult for an intrusion to be successful and to go undetected.
